News and my experience working with GNU/Linux and open source software.

Friday, January 22, 2010

originalip option in dansguardian

I upgraded my firewall on Mandriva 2009.1 to 2010 and ran into a problem with dansguardian. Client computers got "DansGuardian 400 - Bad Request, url is malformed" for certain sites such as google and facebook. I suspected it must be related to a new option introduced by the newly installed dansguardian (2.10.1.1). In the changelog, I got this:

Jan 21 17:18:39 firewall6 dansguardian[1090]: Destination host of dnl-15.geo.kaspersky.com did not match the original destination IP of 95.211.85.42
Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113
Jan 21 17:18:40 firewall6 dansguardian[1074]: Destination host of us.bc.yahoo.com did not match the original destination IP of 216.252.124.30
Jan 21 17:18:40 firewall6 dansguardian[1072]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:41 firewall6 dansguardian[1091]: Destination host of dnl-04.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1083]: Destination host of dnl-07.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1116]: Destination host of newsrss.bbc.co.uk did not match the original destination IP of 212.58.226.73
Jan 21 17:18:43 firewall6 dansguardian[1076]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:43 firewall6 dansguardian[1086]: Destination host of dnl-02.geo.kaspersky.com did not match the original destination IP of 38.117.98.196
Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.

After diffing the previous dansguardian.conf (currently in use) against the current version of the file (not in use), it turned out that the originalip option was the culprit. It was on by default if it wasn't in there. To turn it off, I had to set it explicitly as below:

# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip = 192.168.6.6

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

originalip = off

This is what the changelog says about the originalip option:

Fri 5th June 2009 - DansGuardian 2.10.1.1 - stable

Add "originalip" option to dansguardian.conf, for determining the original destination IP in transparent proxy set-ups, and ensuring that the destination domain of the request resolves to that IP. This can help to address a particular transparent proxy security vulnerability (US-CERT VU#435052), but because of certain limitations - only implemented on Linux/Netfilter; potential breakage of websites using round-robin DNS - the code is not enabled by default. Enable by passing "--enable-orig-ip" to the configure script. Fix a crash which could occur when dealing with simultaneous incoming connections in configurations using more than one listening socket. Fix a crash when checking time limits on item lists. Fix potential usage of uninitialised memory during phrase filtering.
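The check the changelog describes, and why round-robin DNS makes it log the mismatches shown above, as an added example; this is not DansGuardian's code and not from the post. It parses a few constructed syslog lines modelled on the ones quoted earlier, then performs the originalip comparison with an injected resolver so it runs offline. The zone names and addresses (www.example.test, 203.0.113.x, 198.51.100.5) are hypothetical; in the real filter the original destination IP comes from Netfilter on the transparently redirected socket, not from a function parameter.

```python
import re

# Constructed sample lines modelled on the syslog messages quoted in the post
# (hosts and addresses copied from there; this is not a live capture).
SAMPLE_LOG = """\
Jan 21 17:18:39 firewall6 dansguardian[1090]: Destination host of dnl-15.geo.kaspersky.com did not match the original destination IP of 95.211.85.42
Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113
Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.
"""

MISMATCH_RE = re.compile(
    r"dansguardian\[(?P<pid>\d+)\]: Destination host of (?P<host>\S+) "
    r"did not match the original destination IP of (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_mismatches(log_text):
    """Return (host, original_ip) pairs for every originalip mismatch line."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append((m.group("host"), m.group("ip")))
    return found


def host_matches_original_ip(host, original_ip, resolve):
    """The comparison the changelog describes: the Host header's domain must
    resolve to the address the client actually connected to. `resolve` is
    injected (hostname -> set of IPv4 strings) so the example runs offline."""
    return original_ip in resolve(host)


# Constructed zone (hypothetical names and addresses): one round-robin name
# with three A records and one single-address name.
FAKE_ZONE = {
    "www.example.test": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
    "static.example.test": {"198.51.100.5"},
}


def full_resolver(host):
    """Returns the whole A RRset for the name."""
    return set(FAKE_ZONE.get(host, ()))


def make_rotating_resolver(zone):
    """Simulates a resolver that hands back ONE address from a round-robin set
    and rotates on each call. The client resolved the name at one moment and
    the proxy at another, so the two answers can differ: the breakage the
    changelog warns about, and the source of the log lines in the post."""
    calls = {}

    def resolve(host):
        addrs = sorted(zone.get(host, ()))
        if not addrs:
            return set()
        n = calls.get(host, 0)
        calls[host] = n + 1
        return {addrs[n % len(addrs)]}

    return resolve


def demo():
    """Walk through three situations and return the verdict for each."""
    rotating = make_rotating_resolver(FAKE_ZONE)
    # Client connected to a legitimate round-robin address; Host header is honest.
    rr_all_records = host_matches_original_ip("www.example.test", "203.0.113.11", full_resolver)
    rr_single_answer = host_matches_original_ip("www.example.test", "203.0.113.11", rotating)
    # Host header names a domain that does not resolve to the connected address:
    # the case the option exists to refuse.
    header_mismatch = host_matches_original_ip("static.example.test", "203.0.113.10", full_resolver)
    return {
        "round_robin_all_records": rr_all_records,    # True: .11 is in the RRset
        "round_robin_single_answer": rr_single_answer,  # False: resolver answered .10
        "host_header_mismatch": header_mismatch,        # False: correctly refused
    }


if __name__ == "__main__":
    for host, ip in parse_mismatches(SAMPLE_LOG):
        print(f"mismatch: {host} vs {ip}")
    print(demo())
```

The false positive on the round-robin name disappears only when the comparison sees every address the name can resolve to, which is what the full-RRset resolver models; a single cached answer, taken at a different time than the client's lookup, is enough to produce the "did not match" line for an entirely legitimate request.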